A virtual machine (VM) where some applications are configured to use the local HTTP proxy and/or TOR client.

Each of these setups has different disadvantages and neither fits my requirements:

In the browser approach I had to turn off all plugins (Java, Flash, ..) and Javascript so they can not leak information about the local system. Unfortunately this breaks many websites nowadays.

The tsocks/torify approach works for most applications but they may leak information about the local system themselves. Anyway there is a small risk of just forgetting to type the “torify” in front of the command I want to execute which I really do not want to happen.

The VM approach is like putting the two previous approaches into a VM. So the risk of leaking local information is reduced to the VM. Anyway I have to make applications running within the VM explicitely use the TOR network. Besides I want to take care that no other traffic but TOR is going out of the VM which means I have to set up a packet filter on the host.

One solution might be to transparently route a VM through the TOR network so that a VM does not need to be modified in any way. It is quite simple and should work on all OS although I just tried it on a Linux host. As already said, the VM can run any OS!

The host must to redirect all TCP packets to a transparent SOCKS proxy which itself forwards the packets to a TOR client. UDP packets with destination port 53 are redirected to a small script which puts the payload into a TCP packet and forwards it to a TOR client. This is necessary because TOR itself can only handle TCP packets. The host must drop all other packets coming from the VM.

How this works under a Linux host:

Create an unprivileged user “torbob” that runs the VMs.

Choose a virtualization software. I decided to go for qemu/kvm since I am already familiar with it. Using Virtualbox or VMware should also work.

Install, configure and run a transparent SOCKS proxy. I use redsocks but there are also others around. Remember the port it is listening on (31337 in this case). Update: This is not necessary anymore, because Tor has an inbuilt SOCKS proxy since version 0.2.0.1-alpha. Just add “TransListenAddress 127.0.0.1″ and “TransPort 31337″ to your torrc.

Configure and run the tor-dns-proxy.py script from dsocks which does the UDP->TCP packet DNS conversion and remember the port it is listening on (1253 in this case). Update: This is not necessary anymore, because Tor has this inbuilt since version 0.2.0.1-alpha. Just add ” DNSListenAddress 127.0.0.1″ and “DNSPort 1253″ to your torrc. If you want to be able to resolve .onion domains, you also have to add “VirtualAddrNetwork 10.192.0.0/10″ to your torrc.